Simple, persistent split-horizon DNS configuration for OpenWrt/Gargoyle and Ubiquiti UDM Pro
You've set up port forwarding to access your NVR, cameras, or servers from the internet - and it works perfectly from outside your network. But when you try to use the same URL from inside your local network, it fails. This is called the "Hairpin NAT" problem (also known as NAT loopback or NAT reflection).
Your Setup:
- NVR on local network:
192.168.55.19 - Public IP:
203.0.113.39 - Port forwarding: External
8000β Internal80 - External DNS:
nvr8000.factory.example.comβ203.0.113.39
From Outside (Works β ):
- You visit:
http://nvr8000.factory.example.com:8000 - DNS resolves to:
203.0.113.39(public IP) - Router forwards port
8000to192.168.55.19:80 - Connection successful!
From Inside Your Network (Fails β):
- You visit:
http://nvr8000.factory.example.com:8000 - DNS resolves to:
203.0.113.39(same public IP) - Traffic goes OUT to router's WAN interface
- Router tries to "hairpin" traffic back inside
- FAILS - Most routers don't support hairpin NAT!
When you're inside your network trying to reach your own public IP, the router needs to perform "hairpin NAT" - receiving traffic from inside and looping it back inside. This feature is:
- β Not supported by most consumer routers (TP-Link, Netgear, Asus, Linksys)
- β Not supported by many Gargoyle configurations
- β Not supported by some UDM Pro configurations
β οΈ Inconsistent - May work on some firmware versions, fail on othersβ οΈ Wasteful - Even if it works, it wastes bandwidth and doubles latency
Visual Example:
Inside Factory (Hairpin NAT Required):
βββββββββββββββ
β Your PC β "Connect to nvr8000.factory.example.com:8000"
β 192.168.55.5β DNS says: 203.0.113.39
ββββββββ¬βββββββ
β Traffic goes OUT...
βΌ
βββββββββββββββ
β Router β β "Hairpin NAT not supported!"
β WAN: 203. β Traffic trying to loop back
β LAN: 192. β Connection FAILS
βββββββββββββββ
β Use Public IP from Outside, Local IP from Inside
- Requires two different bookmarks
- Confusing for users
- Easy to use the wrong one
- More documentation needed
β Set Up a VPN
- Complex setup
- Requires VPN client software
- Always-on VPN slows down internet
- Costs money (or significant setup time)
- Overkill for simple device access
β Use Reverse Proxy (Nginx, Traefik)
- Only works for HTTP/HTTPS
- Doesn't help local LAN users
- Adds complexity
- Single point of failure
β Just Deal With Different URLs
- Internal:
nvr.localor192.168.55.19 - External:
nvr.factory.example.com:8000 - Users must remember which to use where!
Split-horizon DNS (also called split-brain DNS) solves the hairpin NAT problem by making the same URL work everywhere - it gives different answers depending on where you ask from:
- External queries (from the internet) β Public IP addresses
- Internal queries (from local network) β Private IP addresses
Same URL, Different Destinations:
From Outside Your Network:
- You visit:
http://nvr8000.factory.example.com:8000 - External DNS resolves to:
203.0.113.39(public IP) - Port forwarding:
8000β192.168.55.19:80 - β Works perfectly!
From Inside Your Network:
- You visit:
http://nvr8000.factory.example.com:8000 - Local DNS override resolves to:
192.168.55.19(local IP!) - Direct local connection - no routing needed
- β Works perfectly!
Visual Example:
With Split-Horizon DNS:
βββββββββββββββ
β Your PC β "Connect to nvr8000.factory.example.com:8000"
β 192.168.55.5β LOCAL DNS says: 192.168.55.19 (not the public IP!)
ββββββββ¬βββββββ
β Direct connection...
βΌ
βββββββββββββββ
β NVR β β
Direct connection!
β 192.168.55.19β Fast, no routing needed
βββββββββββββββ
β Single URL everywhere - Same bookmark/link works at office and remotely β No VPN required - Works automatically for basic access β Fast local access - Direct connection to devices on your LAN β No hairpin NAT needed - Bypass the router limitation entirely β Reduced bandwidth - Internal traffic stays internal β Free to implement - No subscription fees or additional hardware β Simple configuration - Set up once per location β User-friendly - Users don't need to think about network location
You need split-horizon DNS if:
- β You have port forwarding set up for remote access
- β It works from outside your network but fails from inside
- β You want to use the same URL everywhere
- β You have multiple sites (offices, warehouses, factories)
- β You access NVRs, cameras, servers, or services remotely
- β You don't want to set up a VPN for every user
Common scenarios:
- Security camera/NVR systems at multiple locations
- Small business with branch offices
- Home lab with remote access
- Multi-site infrastructure management
- Any device with port forwarding that needs to work locally too
Without split-horizon DNS:
You @ Office β nvr.office.example.com β Internet β Router β β FAILS (hairpin NAT)
You @ Home β nvr.office.example.com β Internet β Router β β
Works
Problem: Same URL doesn't work everywhere!
With split-horizon DNS:
You @ Office β nvr.office.example.com β Direct local connection β β
Works (fast!)
You @ Home β nvr.office.example.com β Internet β Router β β
Works
Solution: Same URL works everywhere, automatically!
This is a semi-advanced solution that requires:
-
β A Domain Name You Own
- You must purchase and control a domain (e.g.,
example.com) - Costs: ~$10-15/year from registrars like Namecheap, GoDaddy, Cloudflare
- OR use a subdomain if you already own one
- Alternative: Free dynamic DNS services (DuckDNS, No-IP) work but have limitations
- You must purchase and control a domain (e.g.,
-
β Root/SSH Access to Your Router
- Must be able to SSH into your router as root/admin
- Requires command-line access (not just web interface)
- Your router must support SSH (most prosumer/enterprise routers do)
-
β Command-Line Knowledge
- Comfortable using SSH and basic Linux commands
- Able to edit text files via command line (
vi,nano) - Understand concepts like IP addresses, DNS, port forwarding
-
β Router Compatibility
- UDM Pro, OpenWrt, Gargoyle, or similar router with SSH access
- Consumer routers (most TP-Link, Netgear, Asus) typically won't work
You'll be comfortable with this if you:
- β Have set up port forwarding before
- β Know how to SSH into a Linux server or router
- β Understand what DNS is and how it works
- β Can follow command-line instructions carefully
This might be too advanced if you:
- β Have never used SSH or command line before
- β Don't own a domain name and don't want to purchase one
- β Only have a basic consumer router without SSH access
- β Are uncomfortable editing configuration files
If this seems too complex, consider:
| Solution | Complexity | Cost | Best For |
|---|---|---|---|
| VPN (Tailscale, ZeroTier) | Easy | Free tier available | Beginners, small setups |
| Cloud Relay (Cloudflare Tunnel) | Medium | Free tier available | Web services only |
| Separate URLs | Very Easy | Free | Small setups, willing to remember 2 URLs |
If you're ready to proceed and have the requirements above, continue reading!
Split-horizon DNS itself is just a DNS configuration technique - it doesn't create security risks. However, this guide assumes you're using port forwarding to access devices remotely, which DOES expose your devices to the entire internet.
When you port forward to access your NVR, cameras, or servers remotely:
What You're Doing:
Internet (Anyone in the world)
β
Your Public IP:8000
β
Your NVR (now accessible to everyone)
The Risks:
- π΄ Exposed login pages - Attackers can attempt to brute-force your passwords
- π΄ Vulnerable devices - Many NVRs/cameras have known security vulnerabilities
- π΄ Botnet recruitment - Compromised devices can be used in DDoS attacks
- π΄ Data theft - Attackers could access your camera feeds, recordings, data
- π΄ Network entry point - Compromised device could be used to attack your network
- π΄ Unencrypted traffic - HTTP connections can be intercepted
The MOST SECURE approach is to NOT use port forwarding at all:
VPN Approach (Recommended for Security):
You β VPN β Appears on local network β Direct access to devices
Why VPN is more secure:
- β No ports exposed to internet
- β Encrypted tunnel
- β Authentication required before any access
- β No direct device exposure
- β Can access ALL devices, not just specific ports
VPN Options:
- Tailscale (easiest) - Free for personal use, works with UDM Pro
- WireGuard (fast) - Free, built into many routers
- OpenVPN - Free, widely supported
- Built-in VPN - UDM Pro has built-in VPN server
If VPN isn't feasible for your use case, implement these security measures:
- β NEVER use default passwords (admin/admin, admin/12345, etc.)
- β Use complex passwords: 16+ characters, mix of letters/numbers/symbols
- β Enable two-factor authentication (2FA) if available
- β Disable or rename default admin accounts
- β Don't use HTTP (unencrypted)
- β Use HTTPS with valid SSL/TLS certificates
- β Consider Let's Encrypt for free certificates
- β Force HTTPS redirects
- β Use firewall rules to restrict access by IP address/country
- β Only allow access from known IPs if possible
- β Block countries you don't need access from
- β Use non-standard ports (not 8000, 8080, etc.) - helps avoid automated scans
- β Put cameras/NVRs on isolated VLAN
- β Prevent compromised devices from accessing main network
- β Firewall rules between VLANs
- β Regularly update device firmware
- β Subscribe to security advisories for your devices
- β Replace devices that no longer receive updates
- β Regularly review login attempts
- β Set up alerts for failed login attempts
- β Use fail2ban or similar to block brute-force attacks
- β Cloudflare Tunnel - Protects web-based services
- β Reverse Proxy - Add authentication layer (Authelia, etc.)
- β Port Knocking - Hide ports until specific sequence
| Approach | Security Level | Convenience | Complexity |
|---|---|---|---|
| VPN Only | π’ Very High | Medium | Medium |
| Cloudflare Tunnel | π’ High | High | Medium |
| Port Forward + Security Best Practices | π‘ Medium | High | Low-Medium |
| Port Forward + Weak Passwords | π΄ Very Low | High | Low |
| Port Forward + Default Credentials | π΄ Critical Risk | High | Low |
For home users:
- Best: Set up VPN (Tailscale is easiest) - use split-horizon DNS internally only
- Good: Port forwarding with ALL security best practices above
- Acceptable: Port forwarding for non-sensitive devices only (not cameras in private areas)
For businesses:
- Required: VPN or zero-trust solution (Cloudflare Access, etc.)
- Minimum: Port forwarding only with corporate security policies enforced
Split-horizon DNS is a useful DNS technique, but:
- β Use it WITH a VPN for maximum security
β οΈ Use it WITH port forwarding only if you implement security best practices- β NEVER expose devices with default passwords or unencrypted HTTP
Remember: Every open port is a potential entry point for attackers. The question isn't "if" but "when" automated scanners will find your exposed ports.
This guide supports:
- β Ubiquiti UniFi Dream Machine Pro (UDM Pro) - Firmware 4.x+
- β OpenWrt - 21.x, 22.x, 23.x
- β Gargoyle - 1.13.x, 1.14.x, 1.15.x (OpenWrt-based)
- Control of your external DNS (registrar or DNS provider)
- SSH access to your router
- Basic command-line knowledge
- Static or DHCP-reserved IPs for your devices
- Configure external DNS - A records pointing to public IPs
- Configure internal DNS - Local overrides on each router
- Make configuration persistent - Survives reboots and firmware updates
- Test and verify - Ensure it works locally and remotely
Select the guide for your hardware:
π UDM Pro Setup Guide - For Ubiquiti Dream Machine Pro π OpenWrt/Gargoyle Setup Guide - For OpenWrt and Gargoyle routers
Important best practice:
π‘ Port-in-Name Convention Guide - Recommended! Include the port number in your domain name (e.g., nvr8000.factory.example.com means external port 8000). This makes your configuration self-documenting and prevents mistakes.
Access your home servers, NAS, and services using clean domain names both at home and remotely.
Example:
nas443.home.example.comβ 192.168.1.100 (local) / 203.0.113.50:443 (external)plex32400.home.example.comβ 192.168.1.101 (local) / 203.0.113.50:32400 (external)
Note: Port numbers in domain names (like
443,32400) indicate the external port for remote access. See Port-in-Name Convention.
Consistent URLs across office locations for cameras, servers, and infrastructure.
Example:
nvr8000.factory.example.comβ 192.168.55.19 (local) / 203.0.113.39:8000 (external)nvr8001.factory.example.comβ 192.168.55.124 (local) / 203.0.113.39:8001 (external)alarm8002.factory.example.comβ 192.168.55.95 (local) / 203.0.113.39:8002 (external)
Centralized access to NVRs, cameras, and alarm systems across multiple locations - perfect use case for port-in-name convention!
Example (Factory Setup):
nvr8000.factory.example.comβ External port 8000, Local IP 192.168.55.19nvr8001.factory.example.comβ External port 8001, Local IP 192.168.55.124alarm8002.factory.example.comβ External port 8002, Local IP 192.168.55.95
Benefits: Domain name tells you exactly which port to use remotely - no documentation needed!
Recommended approach:
nvr8000.office.example.com β Use port 8000 externally
nvr8001.office.example.com β Use port 8001 externally
server443.office.example.com β Use port 443 externally
Why this is better:
- β Self-documenting - no need to look up which port to use
- β Clear and consistent
- β Prevents configuration errors
- β Easy to remember
Avoid:
nvr1.office.example.com β Which port? Need to look it up!
nvr2.office.example.com β Is this 8000? 8001? 8080?
How it works:
- Locally: Domain resolves directly to device, no port needed
- Externally: Domain name tells you which port to use
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β External DNS Provider β
β (GoDaddy, Cloudflare, Route53, etc.) β
β β
β nvr.office.example.com β 203.0.113.10 (Public IP) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β²
β
External Query (from internet)
β
βββββββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββ
β Your Office Router β
β (UDM Pro / OpenWrt / Gargoyle) β
β β
β Internal DNS Override (dnsmasq): β
β nvr.office.example.com β 192.168.1.100 (Local IP) β
βββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββ
β
Internal Query (from LAN)
β
βΌ
ββββββββββββββββββββ
β NVR Device β
β 192.168.1.100 β
ββββββββββββββββββββ
Internal user on LAN:
- Client queries:
nvr.office.example.com - Router's dnsmasq intercepts
- Local override returns:
192.168.1.100 - Client connects directly to device on LAN β
External user on internet:
- Client queries:
nvr.office.example.com - External DNS provider responds:
203.0.113.10 - Client connects through internet to public IP β
- β Persistent across firmware updates - Uses on-boot-script
- β Automatic restart - dnsmasq auto-restarts after config change
- β Clean integration - Doesn't interfere with UniFi settings
- β
Easy to maintain - Simple script in
/datapartition
- β
Persistent across reboots - Uses
/etc/rc.local - β Simple configuration - Just edit dnsmasq.conf
- β Easy to restore - Quick SSH command to re-apply
β οΈ May need reapplication after major firmware updates
split-horizon-dns/
βββ README.md (this file)
β
βββ docs/
β βββ udm-pro-guide.md # Complete UDM Pro setup
β βββ openwrt-gargoyle-guide.md # Complete OpenWrt/Gargoyle setup
β βββ troubleshooting.md # Common issues and fixes
β βββ examples.md # Real-world examples
β
βββ scripts/
βββ udm-pro/
β βββ 10-custom-dns.sh # Template boot script
βββ openwrt/
βββ rc.local-snippet.sh # Template rc.local addition
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
Ways to contribute:
- Report issues or bugs
- Improve documentation
- Add examples for different use cases
- Test on different firmware versions
- Share your success stories
This guide has been tested on:
| Hardware | Firmware Version | Status |
|---|---|---|
| UDM Pro | 4.4.6 | β Working |
| Gargoyle | 1.15.x | β Working |
| OpenWrt | 23.05.x | β Working |
| OpenWrt | 22.03.x | β Working |
Have you tested on other configurations? Please open an issue to let us know!
Common issues? Check the Troubleshooting Guide.
Quick links:
VPN Approach:
- β More complex setup
- β Always-on VPN client required
- β Performance overhead
- β Can interfere with local networking
Split-Horizon DNS:
- β No client configuration needed
- β Works automatically
- β Zero performance impact
- β Simple and elegant
You can! These solutions work great with split-horizon DNS. In fact, you can run Pi-hole/AdGuard and implement split-horizon DNS in them instead of on the router.
This guide focuses on router-level implementation for:
- Simpler architecture (no additional hardware/containers)
- Works even if Pi-hole/AdGuard fails
- Good for those who don't run separate DNS servers
This project is licensed under the MIT License - see the LICENSE file for details.
- unifios-utilities - For the excellent on-boot-script for UDM Pro
- OpenWrt community - For the robust dnsmasq implementation
- Gargoyle project - For the user-friendly OpenWrt fork
- π Found a bug? Open an issue
- π‘ Have a suggestion? Start a discussion
- β Find this useful? Give it a star!
- Initial release
- UDM Pro guide
- OpenWrt/Gargoyle guide
- Troubleshooting documentation
- Example scripts
Ready to get started? Choose your guide:
π UDM Pro Setup Guide β
π OpenWrt/Gargoyle Setup Guide β